That left 320 reports of new vulnerabilities in 2019, which spanned across 84 of the top level projects. These 320 reports are a mix of both external reporters and internal; for example where a project has found an issue themselves and followed the ASF process to assign it a CVE name and address it.
Read full article on Apache Software Foundation Blogs